ABSTRACT 


The sniffer captures these packets by setting the NIC in promiscuous mode and then decodes them. The decoded data can be used in any way, depending on the intention of the person who interprets the information (for example for a malicious or a useful purpose). Depending on the network structure, one can sniff all or only parts of the traffic from a single machine inside the network. However, there are a few techniques to bypass the traffic narrowing performed by switches in order to access traffic from other systems on the network. This paper focuses on the essentials of the packet sniffer and its working, the creation of a packet sniffer in a Linux environment, and its use in an Intrusion Detection System (IDS). 
1. INTRODUCTION 

Network sniffer and packet sniffer are sister terms. They have slightly different meanings, but at a high level they do the same job: sniff network traffic that goes from the computer to the network (outbound/egress) or that comes from the network to the computer (inbound/ingress). Many people think that a network sniffer is used only by hackers to launch attacks. This statement is not wrong, but it is also not always true. Hackers generally try to find low-hanging fruit: for example, they try to find which software versions a company or organization uses, which ports are open and closed, and bad security practices such as employees using the same password for multiple accounts, or they try to find password patterns in leaked databases. Sniffing network packets is always the last option in any cyber attack. Why? The answer is simple: a large number of packets arrive every second at a single computer. If I start network sniffing for only 1 minute, more than thousands of packets are sent from and received by my system, and this holds not only for my system but for any system in the world that is connected to the internet. There are two main reasons for this. The first reason is that the network is managed by many protocols that work differently but need one another to complete their work. For example, fig 1 is a screenshot of Wireshark that shows a client communicating over NTP (Network Time Protocol). Without NTP no one in the world would be able to communicate: NTP synchronizes the clock of every system that connects to the internet, and there are many protocols that are needed to establish a connection between two parties. 


Figure 1: Wireshark capture showing an NTP Version 4 client request and the NTP Version 4 server reply. 


The second reason is the way the internet was made: every connection that is made is different from every other connection, and 
a connection has no relationship to any other connection that was made. This feature is also known as the stateless nature of 
the internet. This nature is very important; without it there would be no way for the internet to work efficiently, since there would be too 
much information to store in every network device. Fig 2 shows the packet in which a Hadoop slave sends a heartbeat packet to the master 
every 3 seconds. 
Figure 2: Wireshark packet detail of frame 17 in master.pcap (389 bytes on wire): Ethernet II, Src 02:68:61:4c:4a:20, Dst 02:03:cc:cf:df:f2; Internet Protocol Version 4, Src 15.206.210.162, Dst 172.31.32.160, Header Length 20 bytes, Total Length 375, Identification 0x3a67 (14951), Flags 0x4000 (Don't fragment), Fragment offset 0, Time to live 63. The bytes pane shows the Hadoop heartbeat payload ("sendHeartbeat", "org.apache.hadoop.hdfs.server.protocol.DatanodeRegistration"). 


Not just the Hadoop slave: everywhere in the world of networking, whenever we follow a client-server kind of architecture we have to 
send these small packets, generally known as keep-alive packets. Such a packet is sent from the client to the server at every 
fixed interval of time to say "I am the client and I am still connected to you". This sounds like a very tedious process, but believe me, this method 
is much faster and more reliable than doing the TCP three-way handshake every time a client tries to connect with the 
server. 


Due to the above reasons the volume of network packets is too big; it takes a good amount of computing power to find the useful information that 
helps to launch a full-fledged cyber attack. 


So packet sniffers are mostly used by researchers in their research work and are not generally used by hackers as much as people say. Also, 
it is sometimes not an easy task to launch or start a network sniffer on a remote system, because most network sniffers need admin or 
very high privileges, which hackers generally do not have. 


2. Working 

Each machine on a local network has its own hardware address, which differs from that of other machines. When a 
packet is sent, it is transmitted to all reachable machines on the local network. Owing to the shared-medium principle 
of Ethernet, all computers on a local network share the same wire, so under normal circumstances all machines on the network 
can see the traffic passing through but remain passive towards the packets that do not belong to them, by ignoring them. 
However, if the network interface of a machine is in promiscuous mode, the NIC of that machine can take in 
every packet and frame it receives on the network; in that case the machine (including its software) is a sniffer. When 
a packet is received by a NIC, it first compares the MAC address of the packet with its own. If the MAC address 
matches, it accepts the packet; otherwise it filters it out. The network card thus discards all 
packets that do not contain its own MAC address, a mode of operation called non-promiscuous mode (see section 5), which essentially means 
that each network card minds its own business and reads only the frames directed to it. In order to capture 
all packets, the NIC must be set in promiscuous mode. Packet sniffers do their sniffing by setting the NIC of their own 
system to promiscuous mode, and consequently receive all packets even when they are not intended for it. Thus, a packet sniffer 
captures the packets by setting the NIC into promiscuous mode: the packets arriving at the NIC are copied into the 
device driver memory, then passed to the kernel buffer, from where they are consumed by the user application. Fig 3 shows the 
flow of a packet inside a typical computer/system. 
Figure 3 

3. SNIFFER COMPONENTS 

Basic Components of sniffers are:- 

A. The hardware: - Most products work with standard network adapters, though some require special hardware. 
If you use special hardware, you can analyze hardware faults like CRC errors, voltage 
problems, cable programs, "dribbles", "jitter", negotiation errors, etc. 

B. Capture driver:- This is the most important part. It captures the network traffic from the wire, filters it for the 
particular traffic you want, and then stores the data in a buffer. 

C. Buffer:- Once the frames are captured from the network, they are stored in a buffer. 

D. Decode: - This displays the contents of the network traffic with descriptive text so that an analyst can figure out what is 
happening. 

E. Packet editing/transmission:- Some products contain features that allow you to edit your own network packets and 
transmit them onto the network. 


4. Pcap Library 

Pcap consists of an application programming interface (API) for capturing packets on the network. Unix-like systems 
implement pcap in the libpcap library; Windows uses a port of libpcap known as WinPcap. Libpcap is a widely used 
standard packet capture library that was developed for use with BPF (Berkeley Packet Filter). BPF can be considered an OS 
kernel extension. It is BPF that enables communication between the operating system and the NIC. Libpcap is a C language 
library that extends the BPF library constructs. Libpcap is used to capture packets on the network directly 
from the network adapter. This library is a built-in feature of the operating system. It provides packet capturing 
and filtering capability. It was originally developed by the tcpdump developers in the Network Research Group at Lawrence 
Berkeley Laboratory. If this library is absent from the operating system, we can install it later, as it is available as 
open source. 


5. Promiscuous mode 

The network interface card works in two modes: 
1. Non-promiscuous mode (normal mode) 

2. Promiscuous mode 


When a packet is received by a NIC, it first compares the MAC address of the packet with its own. If the 
MAC address matches, it accepts the packet; otherwise it filters it out. The network card thus discards 
all packets that do not contain its own MAC address, a mode of operation called non-promiscuous, which 
essentially means that each network card minds its own business and reads only the frames directed to 
it. In order to capture all packets, the NIC must be set in promiscuous mode. Packet sniffers do their sniffing by setting the NIC 
of their own system to promiscuous mode, and thus receive all packets even when they are not intended for it. In this way, a packet 
sniffer captures packets by setting the NIC into promiscuous mode. To set a network card to promiscuous mode, 
we simply issue a specific ioctl( ) call on an open socket bound to that card, and the packets are then passed to the kernel. Figure 4 
shows how the data sent by device A to device C is also received by device D, which is set in promiscuous mode. 
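As an added example that is not part of the paper, the following Python script ties sections 2 to 5 together on Linux: it puts the interface into promiscuous mode with the SIOCGIFFLAGS/SIOCSIFFLAGS ioctl pair that implements the ioctl() call mentioned above, reads raw frames from an AF_PACKET socket (the same kernel path that libpcap uses on Linux), and decodes the Ethernet II / IPv4 / TCP header fields shown in the Figure 2 packet detail. The interface name eth0 and the Linux ioctl and flag constants are assumptions; FIGURE2_FRAME is the first 64 bytes of Figure 2's hex dump, transcribed from the figure.

```python
import fcntl
import socket
import struct

SIOCGIFFLAGS, SIOCSIFFLAGS = 0x8913, 0x8914   # assumed Linux values, <linux/sockios.h>
IFF_PROMISC = 0x100                           # assumed Linux value, <linux/if.h>
ETH_P_ALL = 0x0003                            # receive every EtherType, not only IP

# First 64 bytes of frame 17 from the paper's Figure 2 (master.pcap), transcribed from
# its hex dump: Ethernet II, IPv4 15.206.210.162 -> 172.31.32.160, TCP 55974 -> 9001.
FIGURE2_FRAME = bytes.fromhex(
    "0203cccfdff20268614c4a2008004500"
    "01773a6740003f0650ea0fced2a2ac1f"
    "20a0daa62329b918c66b96ad9cfa8018"
    "02d180b700000101080acb1f8665aeeb")

def set_promiscuous(sock, ifname, enable=True):
    """The ioctl() of section 5: read ifr_flags, toggle IFF_PROMISC, write them back."""
    ifreq = struct.pack("16sH14x", ifname.encode(), 0)                   # struct ifreq
    flags = struct.unpack("16sH14x", fcntl.ioctl(sock.fileno(), SIOCGIFFLAGS, ifreq))[1]
    flags = flags | IFF_PROMISC if enable else flags & ~IFF_PROMISC
    fcntl.ioctl(sock.fileno(), SIOCSIFFLAGS, struct.pack("16sH14x", ifname.encode(), flags))
    return flags

def decode_frame(frame):
    """Decode Ethernet II + IPv4 (+ TCP) headers into a dict; None for non-IPv4 frames."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None
    (vihl, _tos, total, ident, frag, ttl, proto, _csum,
     sip, dip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    pkt = {"eth_src": src.hex(":"), "eth_dst": dst.hex(":"), "version": vihl >> 4,
           "ihl": (vihl & 0xF) * 4, "total_length": total, "identification": ident,
           "dont_fragment": bool(frag & 0x4000), "fragment_offset": frag & 0x1FFF,
           "ttl": ttl, "protocol": proto,
           "src": socket.inet_ntoa(sip), "dst": socket.inet_ntoa(dip)}
    if proto == 6:                                   # TCP: ports, seq/ack, flags, window
        off = 14 + pkt["ihl"]
        sport, dport, seq, ack, doff_flags, win = struct.unpack("!HHIIHH", frame[off:off + 16])
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack,
                   tcp_flags=doff_flags & 0x1FF, window=win)
    return pkt

def sniff(ifname="eth0", count=10):
    """Capture `count` frames with the NIC in promiscuous mode; print one line per packet."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((ifname, 0))
    set_promiscuous(sock, ifname, True)
    try:
        for _ in range(count):
            pkt = decode_frame(sock.recv(65535))
            if pkt:
                print("%(src)s -> %(dst)s proto=%(protocol)d len=%(total_length)d ttl=%(ttl)d" % pkt)
    finally:
        set_promiscuous(sock, ifname, False)         # leave the NIC as we found it
        sock.close()

if __name__ == "__main__":
    print(decode_frame(FIGURE2_FRAME))               # offline check against Figure 2
    sniff()                                          # needs root or CAP_NET_RAW
```

Decoding FIGURE2_FRAME reproduces the Figure 2 fields (Total Length 375, Identification 14951, DF set, TTL 63, ports 55974 to 9001, PSH+ACK, window 721) without any capture privilege; the live capture needs root or CAP_NET_RAW.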
6. BOTTLENECK ANALYSIS 

With the increase of traffic on the network, the rate of packets being received by the node also increases. On 
arrival of the packets at the NIC, they must be moved to main memory for processing. A single packet is moved over the 
bus. As we know, the PCI bus has a real transfer rate of not more than 40 to 50 Mbps, because a 
device can have control over the bus only for a certain amount of time or cycles, after which it has to hand over control of the 
bus. Also, we know that the slowest part of a PC is the disk drive; thus a bottleneck is created in writing 
the packets to disk on a traffic-heavy network. To deal with the bottleneck we can make an effort to use 
buffering in the user-level application. According to this arrangement, some amount of RAM is used as a buffer to 
overcome the bottleneck. 
7. The IDS and Packet sniffer 

The expression "Intrusion Detection" implies discovering attacks and threats throughout an enterprise or organization, and responding to 
those discoveries. Some of the automated responses commonly include informing a security administrator by means of a 
console or email, terminating the offending session, shutting the system down, shutting down Internet connections, or executing a 
predefined command procedure. In the context of our paper, just as a packet sniffer can be used for malicious purposes, the 
same can be used for intrusion detection as well. Using this approach, the Intrusion Detection software is placed 
on the system, which puts the Ethernet card in "promiscuous mode" so that the software can read and 
analyze all traffic. It does this by examining both the packet header fields and the packet contents. Intrusion Detection 
software, like packet sniffers, includes an engine which looks for specific kinds of network attacks, for example 
IP spoofing and packet floods. When the packet sniffer detects a potential problem it responds immediately by notifying the 
administrator through various means, for example the console, signaling a pager, sending an email, or even shutting down the 
network session. The diagram below shows a typical arrangement of sniffers for doing packet analysis. A 
sniffer is placed outside the firewall to detect attack attempts originating from the Internet. A sniffer is also positioned 
inside the network to detect Internet attacks which get through the firewall and to help with identifying internal attacks and 
threats. 


Figure 5: Typical sniffer placement for packet analysis: one sniffer outside the firewall facing the Internet, and one sniffer inside the network. 
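As an added example, not taken from the paper, the following Python class sketches the detection engine that section 7 layers on top of a sniffer: it consumes packets already decoded into timestamp, source, destination and TCP flags, and raises the two alert kinds the text names (IP spoofing and packet floods), handing each to a notify hook that stands in for the console/email/pager responses. The protected prefix 172.31.32.0/24, the thresholds and the sample traffic in demo() are constructed assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("172.31.32.0/24")   # assumed protected prefix (Figure 2's hosts)
TCP_SYN, TCP_ACK = 0x02, 0x10

class SnifferIDS:
    """Rule engine of the kind section 7 describes, fed with already-decoded packets."""

    def __init__(self, outside_firewall, flood_threshold=100, window=1.0, notify=print):
        self.outside = outside_firewall    # sensor placement as in Figure 5
        self.threshold = flood_threshold   # packets per source per window before alerting
        self.window = window               # seconds
        self.notify = notify               # the "console" response; swap in email/pager
        self.recent = defaultdict(deque)   # src -> timestamps still inside the window
        self.alerts = []

    def _raise(self, kind, src, dst, detail):
        alert = {"kind": kind, "src": src, "dst": dst, "detail": detail}
        self.alerts.append(alert)
        self.notify("ALERT %s %s -> %s: %s" % (kind, src, dst, detail))

    def inspect(self, ts, src, dst, tcp_flags=0):
        """Examine one decoded packet (timestamp, IPv4 addresses, TCP flag bits)."""
        # IP spoofing indicator: the sensor outside the firewall sees a packet arriving
        # from the Internet side whose source claims to be one of our internal addresses.
        if self.outside and ip_address(src) in INTERNAL_NET:
            self._raise("IP_SPOOFING", src, dst, "internal source address seen outside firewall")
        # Packet flood: sliding-window count per source; alert once when the threshold is hit.
        q = self.recent[src]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()
        if len(q) == self.threshold:
            kind = "SYN" if tcp_flags & TCP_SYN and not tcp_flags & TCP_ACK else "packet"
            self._raise("PACKET_FLOOD", src, dst,
                        "%s flood: %d packets in %.1fs" % (kind, len(q), self.window))
        return self.alerts

def demo():
    """Constructed traffic: a SYN burst from one Internet host, one spoofed packet, one benign."""
    ids = SnifferIDS(outside_firewall=True, flood_threshold=100, window=1.0, notify=lambda m: None)
    for i in range(120):                                     # 120 SYNs within half a second
        ids.inspect(0.004 * i, "203.0.113.5", "172.31.32.160", tcp_flags=TCP_SYN)
    ids.inspect(2.0, "172.31.32.160", "172.31.32.1", tcp_flags=TCP_SYN | TCP_ACK)   # spoofed
    ids.inspect(2.5, "198.51.100.9", "172.31.32.160", tcp_flags=TCP_ACK)            # benign
    return ids.alerts

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The same class placed inside the firewall (outside_firewall=False) does not flag internal source addresses, which is why the paper's Figure 5 arrangement uses one sensor on each side.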


8. Various Network sniffing tool 

There are various tools for traffic analysis: 

A. Wireshark: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software 
and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was 
renamed Wireshark due to trademark issues. Wireshark is cross-platform, using pcap to capture packets; it runs on various 
Unix-like operating systems and on Microsoft Windows. Fig 6 shows the typical interface of Wireshark on Windows. 

B. Tcpdump: It is a typical packet analyzer that provides only a CLI interface. It permits the user to capture and display TCP/IP 
and other packets being sent or received over a network to which the computer is attached. Distributed under the BSD 
license, tcpdump is free software. Tcpdump works on most Unix-like operating systems; on those systems, 
tcpdump uses the libpcap library to capture packets. The port of tcpdump for Windows is called WinDump; it uses 
WinPcap, the Windows port of libpcap. 

C. SoftPerfect Network Protocol Analyzer: It is an advanced, professional tool for analyzing, debugging, maintaining 
and monitoring local networks and Internet connections. It captures the data passing through your dial-up 
connection or network Ethernet card, analyzes this data and then represents it in an easily 
readable form. SoftPerfect Network Protocol Analyzer is a valuable tool for network administrators, security 
specialists, network application developers and anyone who needs a comprehensive picture of the traffic passing through their 
network connection or segment of a local area network. SoftPerfect Network Protocol Analyzer presents the results of its 
network analysis in a convenient and easily understandable format. It also allows you to defragment and 
reassemble network packets into streams. 


Figure 6: Wireshark on Windows with master.pcap open. The packet list pane (columns No., Time, Source, Destination, Protocol, Length, Info) shows SSH traffic between 172.31.32.160 and 27.54.181.132, the TCP heartbeat exchanges to port 9001 from 15.206.210.162, 52.66.135.112 and 65.0.132.174, and the NTP Version 4 client/server exchange with 169.254.169.123; the packet details pane shows the IPv4 fields of the selected packet (Total Length 375, Identification 0x3a67 (14951), Flags 0x4000 Don't fragment, Fragment offset 0) above the raw bytes pane. 
9. Conclusion 

In conclusion, I have something to say: a network sniffer is not a 
tool made for the hacker by the hacker. Network sniffing tools 
can be used by system administrators, network 
administrators and researchers; they can be used to increase the 
performance of a system by looking directly inside the wire, or 
can be used as a sub-feature in more complex tools. 
IDS (Intrusion Detection System), IPS (Intrusion Prevention 
System) and firewalls are some of the examples where we can 
use a packet sniffer tool. 